//  Copyright (c) 1992 - 1997  Microsoft Corporation.  All Rights Reserved.

#ifndef _CHECKBMI_H_
#define _CHECKBMI_H_

#ifdef __cplusplus
extern "C" {
#endif

//  Helper
    __inline BOOL MultiplyCheckOverflow(DWORD a, DWORD b, __deref_out_range( == , a * b) DWORD *pab)
    {
        *pab = a * b;
        if((a == 0) || (((*pab) / a) == b))
        {
            return TRUE;
        }
        return FALSE;
    }


//  Checks if the fields in a BITMAPINFOHEADER won't generate
//  overlows and buffer overruns
//  This is not a complete check and does not guarantee code using this structure will be secure
//  from attack
//  Bugs this is guarding against:
//        1.  Total structure size calculation overflowing
//        2.  biClrUsed > 256 for 8-bit palettized content
//        3.  Total bitmap size in bytes overflowing
//        4.  biSize < size of the base structure leading to accessessing random memory
//        5.  Total structure size exceeding know size of data
//

    __success(return != 0) __inline BOOL ValidateBitmapInfoHeader(
        const BITMAPINFOHEADER *pbmi,   // pointer to structure to check
        __out_range( >= , sizeof(BITMAPINFOHEADER)) DWORD cbSize   // size of memory block containing structure
    )
    {
        DWORD dwWidthInBytes;
        DWORD dwBpp;
        DWORD dwWidthInBits;
        DWORD dwHeight;
        DWORD dwSizeImage;
        DWORD dwClrUsed;

        // Reject bad parameters - do the size check first to avoid reading bad memory
        if(cbSize < sizeof(BITMAPINFOHEADER) ||
           pbmi->biSize < sizeof(BITMAPINFOHEADER) ||
           pbmi->biSize > 4096)
        {
            return FALSE;
        }

        //  Reject 0 size
        if(pbmi->biWidth == 0 || pbmi->biHeight == 0)
        {
            return FALSE;
        }

        // Use bpp of 200 for validating against further overflows if not set for compressed format
        dwBpp = 200;

        if(pbmi->biBitCount > dwBpp)
        {
            return FALSE;
        }

        // Strictly speaking abs can overflow so cast explicitly to DWORD
        dwHeight = (DWORD)abs(pbmi->biHeight);

        if(!MultiplyCheckOverflow(dwBpp, (DWORD)pbmi->biWidth, &dwWidthInBits))
        {
            return FALSE;
        }

        //  Compute correct width in bytes - rounding up to 4 bytes
        dwWidthInBytes = (dwWidthInBits / 8 + 3) & ~3;

        if(!MultiplyCheckOverflow(dwWidthInBytes, dwHeight, &dwSizeImage))
        {
            return FALSE;
        }

        // Fail if total size is 0 - this catches indivual quantities being 0
        // Also don't allow huge values > 1GB which might cause arithmetic
        // errors for users
        if(dwSizeImage > 0x40000000 ||
           pbmi->biSizeImage > 0x40000000)
        {
            return FALSE;
        }

        //  Fail if biClrUsed looks bad
        if(pbmi->biClrUsed > 256)
        {
            return FALSE;
        }

        if(pbmi->biClrUsed == 0 && pbmi->biBitCount <= 8 && pbmi->biBitCount > 0)
        {
            dwClrUsed = (1 << pbmi->biBitCount);
        }
        else
        {
            dwClrUsed = pbmi->biClrUsed;
        }

        //  Check total size
        if(cbSize < pbmi->biSize + dwClrUsed * sizeof(RGBQUAD) +
           (pbmi->biCompression == BI_BITFIELDS ? 3 * sizeof(DWORD) : 0))
        {
            return FALSE;
        }

        //  If it is RGB validate biSizeImage - lots of code assumes the size is correct
        if(pbmi->biCompression == BI_RGB || pbmi->biCompression == BI_BITFIELDS)
        {
            if(pbmi->biSizeImage != 0)
            {
                DWORD dwBits = (DWORD)pbmi->biWidth * (DWORD)pbmi->biBitCount;
                DWORD dwWidthInBytes = ((DWORD)((dwBits + 31) & (~31)) / 8);
                DWORD dwTotalSize = (DWORD)abs(pbmi->biHeight) * dwWidthInBytes;
                if(dwTotalSize > pbmi->biSizeImage)
                {
                    return FALSE;
                }
            }
        }
        return TRUE;
    }

#ifdef __cplusplus
}
#endif

#endif // _CHECKBMI_H_
